Get unencrypted Secret content from etcd in Kubernetes

Create a Secret first:

kubectl create secret generic secret1 --from-literal=password=secret1pass

Get etcd certs paths:

cat /etc/kubernetes/manifests/kube-apiserver.yaml |grep etcd

Check the health of etcd using these certificate paths:

ETCDCTL_API=3 etcdctl endpoint health \
--cacert /etc/kubernetes/pki/etcd/ca.crt \
--cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
--key /etc/kubernetes/pki/apiserver-etcd-client.key

You should get the success responce.
Next, get created Secret in plain text (if it is not encrypted):

ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 \
--cacert /etc/kubernetes/pki/etcd/ca.crt \
--cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
--key /etc/kubernetes/pki/apiserver-etcd-client.key

As you can see, it sometimes is kept in plain text which is security risk.